Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the list of available documents by querying the database. This list could be filtered by modifying some of the parameters. Some of them are not properly sanitized which could allow an authenticated attacker to perform arbitrary queries to the database.
AnalysisAI
LogicalDoc before 8.3.3 allows SQL Injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the list of available documents by querying the database. This list could be filtered by modifying some of the parameters. Some of them are not properly sanitized which could allow an authenticated attacker to perform arbitrary queries to the database. Affected products include: Logicaldoc. Version information: before 8.3.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
More in Logicaldoc
View allLogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents. Rated high severity (CVSS
LogicalDoc Community Edition 7.5.3 and prior contain an Incorrect access control which could leave to privilege escalati
A local privilege elevation vulnerability exists in the file system permissions of LogicalDoc 8.5.1 installation. Rated
LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a different vulnerability than CVE-2020-9423 and CVE-
LogicalDOC Community Edition 8.x before 8.2.1 has a path traversal vulnerability that allows reading arbitrary files and
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to an XSS when using preview on HTML document. Rated medium s
The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticat
The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying
LogicalDOC Community Edition up to 9.2.1 fails to implement rate limiting on the admin login page (/login.jsp), allowing
There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. Rated medium se
Stored cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 allows authenticated users to inject malic
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today